How do I prevent virt-manager from asking for the root password?

Question

When starting virt-manager, it asks for the root password.

It looks like virt-manager causes the libvirtd daemon to run pkcheck with a couple of arguments, which then shows this authentication dialog. So it's PolicyKit who's asking for the root password.

The official website (libvirt.org) describes how to define a PolicyKit rule to get rid of the password prompt:

$ sudo cat /etc/polkit-1/localauthority/50-local.d/50-org.example-libvirt-remote-access.pkla
[libvirt Management Access]
Identity=unix-group:libvirt
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

The subdirectory "localauthority" did not exist. Creating it and putting a file with that name and content (libvirt -> my group name) in there does not seem to have any effect. Also, there's a default file, which uses JavaScript syntax:

/etc/polkit-1/rules.d/50-default.rules

This package is installed on the system, plus a few DE frontends:

polkit-0.107-4.fc18.x86_64

Apparently the example configuration on libvirt.org is outdated?

What configuration is necessary to get rid of the password prompt (for a specific user group)?

Answer 1

/etc/polkit-1/rules.d/10.virt.rules:

polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage"
            && subject.local
            && subject.active
            && subject.isInGroup("libvirt")) {
        return polkit.Result.YES;
    }
});

You'll have to perform common steps including restarting policykit and starting a new session with the respective user after adding him to the libvirt group.

It looks like the resource is about Fedora 18 but it uses the javascript syntax already so it's most probably valid for Fedora 19 as well.

Links:

• http://goldmann.pl/blog/2012/12/03/configuring-polkit-in-fedora-18-to-access-virt-manager/
• http://niranjanmr.wordpress.com/2013/03/20/auth-libvirt-using-polkit-in-fedora-18/
• http://davidz25.blogspot.in/2012/06/authorization-rules-in-polkit.html

Answer 2

I found that simply adding my user to libvirt and kvm groups stopped the prompts.

sudo usermod -a -G libvirt $(whoami)
sudo usermod -a -G kvm $(whoami)

whoami outputs your username that way it will get replaced by your username automatically

Answer 3

The password prompt was made for system security so if you do this might make it vulnerable.

1. Create the Group group on your machine. or you can run this "sudo groupadd -r Group"

2. You can any user you want to this system group by runing "sudo usermod -a -G Group User"

3. Now you need to create our PolicyKit policy that will allow the users of Group to run virt-manager

you will create a file at this path:"/etc/polkit-1/localauthority/50-local.d/50-org.Group-libvirt-local-access.pkla"
and you will put lines below in it

[Allow group Group libvirt management permissions]
Identity=unix-group:Group
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

Thats all you needed to do now you can run it. And i hope this helps you.

Answer 4

I would actually use

sudo usermod -a -G libvirt $(whoami)
sudo usermod -a -G kvm $(whoami)

That way just copy pasting would work directly since whoami outputs your username